Rijndael block cipher apparatus and encryption/decryption method thereof

ABSTRACT

A rijndael block cipher apparatus including an operational unit that efficiently performs a round operation for encrypting/decrypting a rijndael block cipher and an encryption/decryption method thereof are disclosed. The rijndael block cipher apparatus is mounted in a mobile terminal such as a cellular phone and a PDA or a smart card, which requires a high-rate and small-sized cipher processor, and can encrypt and decrypt important data that requires security at high speed and perform the round operation with respect to upper 64 bits and lower 64 bits which are divided from 128-bit input data. Thus, the cipher apparatus can reduce the time required for encryption/decryption of the rijndael block cipher and the size of the apparatus.

TECHNICAL FIELD

The present invention relates generally to a rijndael block cipher apparatus and an encryption/decryption method thereof, and more particularly to a rijndael block cipher apparatus which is mounted in a cellular phone, PDA, smart card, and so on, and which can encrypt and decrypt important data that requires security at high speed, and an encryption/decryption method thereof.

BACKGROUND ART

The rijndael algorithm is a symmetric secret-key encryption algorithm that was developed by Joan Daemen and Vincent Rijmen, who are Belgian encryption developers, and then selected as a new AES (Advanced Encryption Standard) by American NIST (National Institute of Standards and Technology) in October, 2000 or thereabouts.

The rijndael algorithm supports a variable block length of an SPN (Substitution-Permutation Network) structure, and enables the use of 128-bit, 192-bit, and 256-bit keys with respect to respective block lengths.

The number of rounds in the rijndael algorithm is determined by key lengths, and in the case of using the 128-bit block, it is recommended to use 10, 12 and 14 rounds with respect to the 128-bit, 192-bit and 256-bit keys, respectively.

Recently, it is known that the rijndael algorithm causes no problem in security even if the 128-bit key is used, and thus research into hardware implementation of the rijndael algorithm using a key having a length of 128 bits is already under way.

Since the rijndael algorithm encrypts/decrypts data for the rijndael block encryption/decryption by repeating round operations, and is especially provided for supporting the variable block length of the SPN structure, the encryption process of a rijndael block cipher is different from the decryption process thereof. Typically, a round operation for the encryption process of the rijndael block cipher is composed of four transforms of substitution, shift_row, mixcolumn and add-round-key, and a round operation for the decryption process is composed of four transforms of inverse-shift_row, inverse substitution, add-round-key and inverse mixcolumn. The time required for the round operation and the hardware resources used differ according to the methods of performing these transforms, and the method of performing the transforms is therefore vital to the performance of a rijndael cipher processor.

Accordingly, it is important to reduce the amount of hardware resources required to implement the round operation and the time required to perform the round operation.

DISCLOSURE OF THE INVENTION

Therefore, the applicant has developed a rijndael block cipher apparatus including an operational unit that efficiently performs a round operation for encrypting/decrypting the rijndael block cipher and an encryption/decryption method thereof.

It is an object of the present invention to solve the problems involved in the prior art and to provide a rijndael block cipher apparatus which is mounted in a mobile terminal such as a cellular phone and a PDA or a smart card, which requires a high-rate and small-sized cipher processor, and which can encrypt and decrypt important data that requires security at high speed, and an encryption/decryption method thereof.

In order to accomplish the above-mentioned object, a rijndael block cipher apparatus according to an embodiment of the present invention comprises a round operation unit for transforming a 128-bit input key into a 128-bit round key for encryption or decryption, and storing the 128-bit round key according to a value of a mode signal from a time when a round operation start signal, a round number signal and a bit selection signal for dividing the 128-bit input data into upper 64 bits and lower 64 bits and selecting the upper or lower 64 bits are inputted after an encryption or decryption operation start signal and the mode signal are inputted, encrypting the 128-bit input data by dividing the 128-bit input data into the upper 64 bits and the lower 64 bits and by performing a round operation which is composed of transforms of shift_row, substitution, mixcolumn and add-round-key with respect to the divided upper 64 bits and lower 64 bits, respectively, and decrypting the 128-bit input data by dividing the 128-bit input data into the upper 64 bits and the lower 64 bits and by performing a round operation which is composed of transforms of inverse-shift_row, inverse substitution, add-round-key and inverse mixcolumn with respect to the divided upper 64 bits and lower 64 bits, respectively; a round operation control unit for controlling the round operation of the round operation unit by transmitting the round operation start signal, the round number signal and the bit selection signal for dividing the 128-bit input data into the upper 64 bits and lower 64 bits and selecting the upper or lower 64 bits to the round operation unit from a time when the encryption or decryption operation start signal and the mode signal are inputted; a 64-bit data register for storing intermediate encryption or decryption data of the upper 64-bit input data generated during each round operation performed by the round operation unit; and a 128-bit data register for storing intermediate encryption or decryption data of the lower 64-bit input data generated during each round operation performed by the round operation unit as its lower 64 bits, and storing the encryption or decryption data generated as a result of a last round operation and stored in the 64-bit data register as its upper 64-bit data.

In order to accomplish the above-mentioned object, a rijndael block encryption method according to a first embodiment of the present invention comprises the steps of: if a four-clock round operation start signal and a round number signal are inputted from a round operation control unit after an encryption or decryption operation start signal and a mode signal are inputted through a bus, a round key generation unit of a round operation unit transforming a 128-bit input key into a 128-bit round key for encryption in accordance with a value of the mode signal inputted through the bus from a time when a first clock of the round operation start signal becomes ‘1’, and storing the 128-bit round key in an internal 128-bit round key register; if the four-clock round operation start signal and a bit selection signal are inputted from the round operation control unit, a shift/inverse-shift_row transform unit performing a byte-shift of upper 64-bit data of 128-bit input data inputted through the bus and outputting the byte-shifted upper 64-bit data through a first multiplexer when the first clock becomes ‘1’, and a substitution/inverse-substitution transform unit successively performing a substitution of the upper 64-bit data, outputting the substituted upper 64-bit data to a first demultiplexer, and storing the substituted upper 64-bit data in a 64-bit data register; when a second clock of the round operation start signal becomes ‘1’, a mix/inverse-mixcolumn transform unit performing a mixcolumn of the upper 64-bit data outputted through an encryption output terminal of the first demultiplexer and stored in the 64-bit data register, outputting the mixcolumn-transformed upper 64-bit data to a second demultiplexer, and storing the mixcolumn-transformed upper 64-bit data in the 64-bit data register, the shift/inverse-shift_row transform unit simultaneously performing a byte-shift of lower 64-bit data of the 128-bit input data inputted through the bus and outputting the byte-shifted lower 64-bit data through the first multiplexer, and the substitution/inverse-substitution transform unit successively performing a substitution of the lower 64-bit data, outputting the substituted lower 64-bit data to the first demultiplexer, and storing the substituted lower 64-bit data in lower 64 bits of a 128-bit data register; when a third clock of the round operation start signal becomes ‘1’, an add-round-key transform unit performing an addition of the upper 64-bit data outputted through an encryption output terminal of the second demultiplexer and stored in the 64-bit data register to upper 64-bit round key generated by the round key generation unit and storing the added upper 64-bit data in upper 64 bits of the 128-bit data register, and a mix/inverse-mixcolumn transform unit simultaneously performing a mixcolumn of the lower 64-bit data outputted through the encryption output terminal of the first demultiplexer and stored in the 128-bit data register, outputting the mixcolumn-transformed lower 64-bit data to the second demultiplexer, and storing the mixcolumn-transformed lower 64-bit data in the lower 64 bits of the 128-bit data register; and when a fourth clock of the round operation start signal becomes ‘1’, the add-round-key transform unit performing an addition of the lower 64-bit data outputted through the encryption output terminal of the second demultiplexer and stored in the 128-bit data register to lower 64-bit round key generated by the round key generation unit and storing the added lower 64-bit data in the lower 64 bits of the 128-bit data register.

In order to accomplish the above-mentioned object, a rijndael block decryption method according to a first embodiment of the present invention comprises the steps of: if a four-clock round operation start signal and a round number signal are inputted from a round operation control unit after an encryption or decryption operation start signal and a mode signal are inputted through a bus, a round key generation unit of a round operation unit transforming a 128-bit input key into a 128-bit round key for decryption in accordance with a value of the mode signal inputted through the bus from a time when a first clock of the round operation start signal becomes ‘1’, and storing the 128-bit round key in an internal 128-bit round key register; if the four-clock round operation start signal and a bit selection signal are inputted from the round operation control unit, a shift/inverse-shift_row transform unit performing a byte-inverse-shift of upper 64-bit data of 128-bit input data inputted through the bus and outputting the byte-inverse-shifted upper 64-bit data through a first multiplexer when the first clock becomes ‘1’, and a substitution/inverse-substitution transform unit successively performing an inverse substitution of the upper 64-bit data, outputting the inverse-substituted upper 64-bit data to a first demultiplexer, and storing the inverse-substituted upper 64-bit data in a 64-bit data register; when a second clock of the round operation start signal becomes ‘1’, an add-round-key transform unit performing an addition of the upper 64-bit data outputted through a decryption output terminal of the first demultiplexer and stored in the 64-bit data register to upper 64-bit round key generated by the round key generation unit, outputting the added upper 64-bit data to a third demultiplexer, and storing the added upper 64-bit data in the 64-bit data register, the shift/inverse-shift_row transform unit simultaneously performing a byte-inverse-shift of lower 64-bit data of the 128-bit input data inputted through the bus, and outputting the byte-inverse-shifted lower 64-bit data through the first multiplexer, and the substitution/inverse-substitution transform unit successively performing an inverse substitution of the lower 64-bit data, outputting the inverse-substituted lower 64-bit data to the first demultiplexer, and storing the inverse-substituted lower 64-bit data in lower 64 bits of a 128-bit data register; when a third clock of the round operation start signal becomes ‘1’, a mix/inverse-mixcolumn transform unit performing an inverse mixcolumn of the upper 64-bit data outputted through a decryption output terminal of the third demultiplexer and stored in the 64-bit data register, outputting the inverse-mixcolumn-transformed upper 64-bit data through a second demultiplexer, and storing the inverse-mixcolumn-transformed upper 64-bit data in upper 64 bits of the 128-bit data register, and the add-round-key transform unit simultaneously performing an addition of the lower 64-bit data outputted through the decryption output terminal of the first demultiplexer and stored in the 128-bit data register to lower 64-bit round key generated by the round key generation unit, outputting the added lower 64-bit data through the third demultiplexer, and storing the added lower 64-bit data in the lower 64 bits of the 128-bit data register; and when a fourth clock of the round operation start signal becomes ‘1’, the mix/inverse-mixcolumn transform unit performing an inverse mixcolumn of the lower 64-bit data outputted through the decryption output terminal of the third demultiplexer and stored in the 128-bit data register, outputting the inverse-mixcolumn-transformed lower 64-bit data through a second demultiplexer, and storing the inverse-mixcolumn-transformed lower 64-bit data in the lower 64 bits of the 128-bit data register.

In order to accomplish the above-mentioned object, a rijndael block encryption method according to a second embodiment of the present invention comprises the steps of: if a three-clock round operation start signal and a round number signal are inputted from a round operation control unit after an encryption or decryption operation start signal and a mode signal are inputted through a bus, a round key generation unit of a round operation unit transforming a 128-bit input key into a 128-bit round key for encryption in accordance with a value of the mode signal inputted through the bus from a time when a first clock of the round operation start signal becomes ‘1’, and storing the 128-bit round key in an internal 128-bit round key register; if the three-clock round operation start signal and a bit selection signal are inputted from the round operation control unit, a shift/inverse-shift_row transform unit performing a byte-shift of upper 64-bit data of 128-bit input data inputted through the bus and outputting the byte-shifted upper 64-bit data through a first multiplexer when the first clock becomes ‘1’, and a substitution/inverse-substitution transform unit successively performing a substitution of the upper 64-bit data, outputting the substituted upper 64-bit data to a first demultiplexer, and storing the substituted upper 64-bit data in a 64-bit data register; when a second clock of the round operation start signal becomes ‘1’, a mix/inverse-mixcolumn transform unit performing a mixcolumn of the upper 64-bit data outputted through an encryption output terminal of the first demultiplexer and stored in the 64-bit data register, and outputting the mixcolumn-transformed upper 64-bit data to a second demultiplexer, an add-round-key transform unit successively performing an addition of this upper 64-bit data to an upper 64-bit round key generated by the round key generation unit, and storing the added upper 64-bit data in the 64-bit data register, the shift/inverse-shift_row transform unit simultaneously performing a byte-shift of lower 64-bit data of the 128-bit input data inputted through the bus, and outputting the byte-shifted lower 64-bit data through the first multiplexer, and the substitution/inverse-substitution transform unit successively performing a substitution of the lower 64-bit data, outputting the substituted lower 64-bit data to the first demultiplexer, and storing the substituted lower 64-bit data in lower 64 bits of a 128-bit data register; and when a third clock of the round operation start signal becomes ‘1’, storing the 64-bit data added and then stored in the 64-bit data register in upper 64 bits of the 128-bit data register, the mix/inverse-mixcolumn transform unit simultaneously performing a mixcolumn of the lower 64-bit data outputted through the encryption output terminal of the first demultiplexer and stored in the 128-bit data register, and outputting the mixcolumn-transformed lower 64-bit data to the second demultiplexer, and the add-round-key transform unit successively performing an addition of the lower 64-bit data to lower 64-bit round key generated by the round key generation unit, and storing the added lower 64-bit data in the lower 64 bits of the 128-bit data register.

In order to accomplish the above-mentioned object, a rijndael block decryption method according to a second embodiment of the present invention comprises the steps of: if a three-clock round operation start signal and a round number signal are inputted from a round operation control unit after an encryption or decryption operation start signal and a mode signal are inputted through a bus, a round key generation unit of a round operation unit transforming a 128-bit input key into a 128-bit round key for decryption in accordance with a value of the mode signal inputted through the bus from a time when a first clock of the round operation start signal becomes ‘1’, and storing the 128-bit round key in an internal 128-bit round key register; if the three-clock round operation start signal and a bit selection signal are inputted from the round operation control unit, a shift/inverse-shift_row transform unit performing a byte-inverse-shift of upper 64-bit data of 128-bit input data inputted through the bus, and outputting the byte-inverse-shifted upper 64-bit data through a first multiplexer when the first clock becomes ‘1’, and a substitution/inverse-substitution transform unit successively performing an inverse substitution of the upper 64-bit data, outputting the inverse-substituted upper 64-bit data to a first demultiplexer, and storing the inverse-substituted upper 64-bit data in a 64-bit data register; when a second clock of the round operation start signal becomes ‘1’, an add-round-key transform unit performing an addition of the upper 64-bit data outputted through a decryption output terminal of the first demultiplexer and stored in the 64-bit data register to upper 64-bit round key generated by the round key generation unit, and outputting the added upper 64-bit data to a third demultiplexer, a mix/inverse-mixcolumn transform unit successively performing an inverse mixcolumn of the added upper 64-bit data, outputting the inverse-mixcolumn-transformed upper 64-bit data through a second demultiplexer, and storing the inverse-mixcolumn-transformed upper 64-bit data in the 64-bit data register, the shift/inverse-shift_row transform unit simultaneously performing a byte-inverse-shift of lower 64-bit data of the 128-bit input data inputted through the bus, and outputting the byte-inverse-shifted lower 64-bit data through the first multiplexer, and the substitution/inverse-substitution transform unit successively performing an inverse substitution of the lower 64-bit data, outputting the inverse-substituted lower 64-bit data to the first demultiplexer, and storing the inverse-substituted lower 64-bit data in lower 64 bits of a 128-bit data register; and when a third clock of the round operation start signal becomes ‘1’, the add-round-key transform unit performing an addition of the lower 64-bit data outputted through the decryption output terminal of the first demultiplexer and stored in the 128-bit data register to lower 64-bit round key generated by the round key generation unit and outputting the added lower 64-bit data to the third demultiplexer, the mix/inverse-mixcolumn transform unit successively performing an inverse mixcolumn of the added lower 64-bit data, outputting the inverse-mixcolumn-transformed lower 64-bit data through a second demultiplexer, and storing the inverse-mixcolumn-transformed lower 64-bit data in the lower 64 bits of the 128-bit data register, and simultaneously storing the upper 64-bit data stored in the 64-bit data register in upper 64 bits of the 128-bit data register.

In order to accomplish the above-mentioned object, a rijndael block encryption method according to a third embodiment of the present invention comprises the steps of: if a two-clock round operation start signal and a round number signal are inputted from a round operation control unit after an encryption or decryption operation start signal and a mode signal are inputted through a bus, a round key generation unit of a round operation unit transforming a 128-bit input key into a 128-bit round key for encryption in accordance with a value of the mode signal inputted through the bus from a time when a first clock of the round operation start signal becomes ‘1’, and storing the 128-bit round key in an internal 128-bit round key register; if the two-clock round operation start signal and a bit selection signal are inputted from the round operation control unit, a shift/inverse-shift_row transform unit performing a byte-shift of upper 64-bit data of 128-bit input data inputted through the bus and outputting the byte-shifted upper 64-bit data through a first multiplexer when the first clock becomes ‘1’, a substitution/inverse-substitution transform unit successively performing a substitution of the upper 64-bit data, and outputting the substituted upper 64-bit data through a first demultiplexer, a mix/inverse-mixcolumn transform unit performing a mixcolumn of the upper 64-bit data outputted through an encryption output terminal of the first demultiplexer, and outputting the mixcolumn-transformed upper 64-bit data to a second demultiplexer, and an add-round-key transform unit successively performing an addition of this upper 64-bit data to an upper 64-bit round key generated by the round key generation unit, and storing the added upper 64-bit data in a 64-bit data register; and when a second clock of the round operation start signal becomes ‘1’, the shift/inverse-shift_row transform unit performing a byte-shift of lower 64-bit data of the 128-bit input data inputted through the bus and outputting the byte-shifted lower 64-bit data through the first multiplexer, and the substitution/inverse-substitution transform unit successively performing a substitution of the lower 64-bit data, and outputting the substituted lower 64-bit data to the first demultiplexer, the mix/inverse-mixcolumn transform unit successively performing a mixcolumn of the lower 64-bit data, and outputting the mixcolumn-transformed lower 64-bit data to the second demultiplexer, the add-round-key transform unit successively performing an addition of this lower 64-bit data to lower 64-bit round key generated by the round key generation unit, and storing the added lower 64-bit data in lower 64 bits of a 128-bit data register, and simultaneously storing the upper 64-bit data stored in the 64-bit data register in upper 64 bits of the 128-bit data register.

In order to accomplish the above-mentioned object, a rijndael block decryption method according to a second embodiment of the present invention comprises the steps of: if a two-clock round operation start signal and a round number signal are inputted from a round operation control unit after an encryption or decryption operation start signal and a mode signal are inputted through a bus, a round key generation unit of a round operation unit transforming a 128-bit input key into a 128-bit round key for decryption in accordance with a value of the mode signal inputted through the bus from a time when a first clock of the round operation start signal becomes ‘1’, and storing the 128-bit round key in an internal 128-bit round key register; if the two-clock round operation start signal and a bit selection signal are inputted from the round operation control unit, a shift/inverse-shift_row transform unit performing a byte-inverse-shift of upper 64-bit data of 128-bit input data inputted through the bus, and outputting the byte-inverse-shifted upper 64-bit data through a first multiplexer when the first clock becomes ‘1’, a substitution/inverse-substitution transform unit successively performing an inverse substitution of the upper 64-bit data, and outputting the inverse-substituted upper 64-bit data to a first demultiplexer, an add-round-key transform unit successively performing an addition of the upper 64-bit data outputted through a decryption output terminal of the first demultiplexer to an upper 64-bit round key generated by the round key generation unit, and outputting the added upper 64-bit data to a third demultiplexer, and a mix/inverse-mixcolumn transform unit successively performing an inverse mixcolumn of the added upper 64-bit data, outputting the inverse-mixcolumn-transformed upper 64-bit data through a second demultiplexer, and storing the inverse-mixcolumn-transformed upper 64-bit data in a 64-bit data register; and when a second clock of the round operation start signal becomes ‘1’, the shift/inverse-shift_row transform unit performing a byte-inverse-shift of lower 64-bit data of the 128-bit input data inputted through the bus and outputting the byte-inverse-shifted lower 64-bit data through the first multiplexer, the substitution/inverse-substitution transform unit successively performing an inverse substitution of the lower 64-bit data, and outputting the inverse-substituted lower 64-bit data to the first demultiplexer, the add-round-key transform unit successively performing an addition of the lower 64-bit data outputted through the decryption output terminal of the first demultiplexer to a lower 64-bit round key generated by the round key generation unit, and outputting the added lower 64-bit data to the third demultiplexer, the mix/inverse-mixcolumn transform unit successively performing an inverse mixcolumn of the added lower 64-bit data, outputting the inverse-mixcolumn-transformed lower 64-bit data through a second demultiplexer, and storing the inverse-mixcolumn-transformed lower 64-bit data in lower 64 bits of a 128-bit data register, and simultaneously storing the upper 64-bit data stored in the 64-bit data register in upper 64 bits of the 128-bit data register.

BRIEF DESCRIPTION OF THE DRAWINGS

The above object, other features and advantages of the present invention will become more apparent by describing the preferred embodiments thereof with reference to the accompanying drawings, in which:

FIG. 1 is a view illustrating the construction of a rijndael block cipher apparatus according to the present invention.

FIG. 2 is a view illustrating the construction of a round operation unit.

FIG. 3 is a view illustrating the construction of a round key generation unit.

FIG. 4 is a first timing diagram illustrating a method of encrypting a rijndael block cipher according to the present invention.

FIG. 5 is a first timing diagram illustrating a method of decrypting a rijndael block cipher according to the present invention.

FIG. 6 is a second timing diagram illustrating a method of encrypting a rijndael block cipher according to the present invention.

FIG. 7 is a second timing diagram illustrating a method of decrypting a rijndael block cipher according to the present invention.

FIG. 8 is a third timing diagram illustrating a method of encrypting a rijndael block cipher according to the present invention.

FIG. 9 is a third timing diagram illustrating a method of decrypting a rijndael block cipher according to the present invention.

BEST MODE FOR CARRYING OUT THE INVENTION

Now, a rijndael block cipher apparatus and an encryption/decryption method thereof according to preferred embodiments of the present invention will be described in detail with reference to the annexed drawings.

Referring to FIG. 1, the rijndael block cipher apparatus according to the present invention is primarily intended to perform all round operations for encrypting and decrypting input data for rijndael block encryption/decryption in the unit of 64 bits, and to generate round keys required for the round operations simultaneously with performing the round operations.

A round operation unit 100 transforms a 128-bit input key into a 128-bit round key RK for encryption or decryption and stores the 128-bit round key according to a value of a mode signal from a time when a round operation start signal Round_start, a round number signal Round_number and a bit selection signal sel for dividing the 128-bit input data into upper 64 bits and lower 64 bits and selecting the upper or lower 64 bits for each round operation are inputted after an encryption or decryption operation start signal start and the mode signal are inputted through a bus 200 for rijndael block encryption/decryption.

If the value of the mode signal indicates ‘0’, the round operation unit 100 encrypts the 128-bit input data by dividing the 128-bit input data into the upper 64 bits and the lower 64 bits and performing a round operation which is composed of transforms of shift_row, substitution, mixcolumn and add-round-key with respect to the divided upper 64 bits and lower 64 bits, respectively.

If the value of the mode signal indicates ‘1’, the round operation unit 100 decrypts the 128-bit input data by dividing the 128-bit input data into the upper 64 bits and the lower 64 bits and performing a round operation which is composed of transforms of inverse shift_row, inverse substitution, add-round-key and inverse mixcolumn with respect to the divided upper 64 bits and lower 64 bits, respectively.

A round operation control unit 300, if the encryption or decryption operation start signal and the mode signal are inputted through the bus 200, controls the round operation of the round operation unit 100 by transmitting the round operation start signal Round_start, the round number signal Round_number and the bit selection signal for dividing the 128-bit input data into the upper 64 bits and the lower 64 bits and selecting the divided upper or lower 64 bits for each round operation to the round operation unit 100 from the time when the encryption or decryption operation start signal and the mode signal are inputted.

A 64-bit data register 400 stores intermediate encryption or decryption data of the upper 64-bit input data generated during each round operation performed by the round operation unit 100.

A 128-bit data register 500 stores intermediate encryption or decryption data of the lower 64-bit input data generated during each round operation performed by the round operation unit 100 as its lower 64 bits, and stores the encryption or decryption data generated as a result of a last round operation and stored in the 64-bit data register 400 as its upper 64 bits.

Referring to FIG. 2, a round key generation unit 110 of the round operation unit 100 transforms the 128-bit input key into the 128-bit round key RK according to the value of the mode signal inputted through the bus 200 and stores the 128-bit round key in an internal 128-bit round key register if the round operation start signal and the round number signal are inputted from the round operation control unit 300.

A shift/inverse-shift_row transform unit 120 of the round operation unit 100, if the round operation start signal and a bit selection signal are inputted from the round operation control unit 300, performs a byte-shift of the upper 64 bits and the lower 64 bits divided from the 128-bit input data inputted through the bus 200 by different numbers according to the value of the mode signal inputted through the bus 200, and outputs the byte-shifted upper 64 bits and lower 64 bits through a first multiplexer 121 the output of which is controlled according to the value of the bit selection signal.

A substitution/inverse-substitution transform unit 130 of the round operation unit 100 performs a substitution or an inverse substitution of the upper 64-bit data and the lower 64-bit data outputted from the shift/inverse-shift_row transform unit 120 using a substitution box (S-box) or an inverse-substitution box (SI-box) that provides a one-byte output with respect to a one-byte input.

A first demultiplexer 140 of the round operation unit 100 outputs theupper 64-bit data or the lower 64-bit data outputted from thesubstitution/inverse-substitution transform unit 130 through either ofits encryption output terminal ‘0’ and its decryption output terminal‘1’ according to the value of the mode signal

A mix/inverse-mixcolumn transform unit 150 of the round operation unit100 performs a mixcolumn of the upper 64-bit data or the lower 64-bitdata inputted through the encryption output terminal ‘0’ of the firstdemultiplexer 140, or performs an inverse mixcolumn of the upper 64-bitdata or the lower 64-bit data that has been add-round-key-transformed.

A second demultiplexer 160 of the round operation unit 100 outputs theupper 64-bit data or the lower 64-bit data outputted from themix/inverse-mixcolumn transform unit 150 through either of itsencryption output terminal ‘0’ and its decryption output terminal ‘1’according to the value of the mode signal

An add-round-key transform unit 170 of the round operation unit 100performs an addition of the upper 64-bit data or the lower 64-bit datainputted through the decryption output terminal ‘1’ of the firstdemultiplexer 140 or the encryption output terminal ‘0’ of the seconddemultiplexer 160 to the 128-bit round key RK for encryption ordecryption outputted from the round key generation unit 110.

A third demultiplexer 180 of the round operation unit 100 outputs theupper 64-bit data or the lower 64-bit data outputted from theadd-round-key transform unit 170 through either of its encryption outputterminal ‘0’ and its decryption output terminal ‘1’ according to thevalue of the mode signal

Referring to FIG. 3, a 128-bit prekey register 111 of the round key generation unit 110 stores the 128-bit input key inputted through the bus 200 as a prekey for transforming the 128-bit input key into the 128-bit round key RK for encryption or decryption, and stores the 128-bit round key RK generated after each round operation as a prekey for generating the round key used in the next round operation.

A 128-bit round key register 111 a of the round key generation unit 110 stores the 128-bit round key RK for encryption or decryption for each round operation. In FIG. 3, the 128-bit round key RK to be stored in the 128-bit round key register 111 a is backed up to the 128-bit prekey register 111 after each round operation, and is used as a round key (i.e., prekey) of the previous round in the next round operation.

A constant storage unit 112 of the round key generation unit 110 stores constant values Rcon determined according to the order of the round indicated by the round number signal inputted from the round operation control unit 300. It is preferable that the constant storage unit 112 comprises a ROM.

A second multiplexer 113 of the round key generation unit 110 is controlled according to the value of the mode signal inputted through the bus 200, and selects and outputs either of 32-bit keys for encryption or decryption inputted from the 128-bit prekey register 111 and the 128-bit round key register 111 a.

A shifter 114 of the round key generation unit 110 performs a cyclic shift of the 32-bit key inputted through the second multiplexer 113 to the left by one byte.

A substitution transform unit 115 of the round key generation unit 110 is composed of substitution boxes (S-boxes) for performing the substitution operation, and performs a substitution of the 32-bit key shifted by the shifter 114.

A first XOR gate 116 of the round key generation unit 110 performs an XOR operation of the most significant byte of the 32-bit key outputted from the substitution transform unit 115 with the constant value stored in the constant storage unit 112.

A round XOR operation unit 117 of the round key generation unit 110 newly generates the 128-bit round key RK for encryption or decryption to be stored in the 128-bit round key register 111 a for each round of the round operation by performing an XOR operation using a 32-bit value obtained by adding output bits of the first XOR gate 116 to the remaining 24 bits except for the most significant byte of the substitution transform unit 115, the 128-bit round key (i.e., prekey) of the previous round stored in the 128-bit prekey register 111, and the 128-bit round key RK of the new round stored in the 128-bit round key register 111 a.

A second XOR gate 118 of the round XOR operation unit 117 generates the most significant 32-bit round key RK0 of the 128-bit round key for encryption or decryption of the new round by performing an XOR operation of the 32-bit value obtained by adding the output bits of the first XOR gate 116 to the remaining 24 bits except for the most significant byte of the substitution transform unit 115, with the most significant 32-bit round key PK0 of the 128-bit round key of the previous round.

A third XOR gate 118 a of the round XOR operation unit 117 generates a 32-bit (i.e., 95th bit to 64th bit) round key RK1 of the 128-bit round key for encryption of the new round by performing an XOR operation of the most significant 32-bit (i.e., 127th bit to 96th bit) round key RK0 of the 128-bit round key of the new round with a 32-bit (i.e., 95th bit to 64th bit) round key PK1 next to the most significant 32 bits of the 128-bit round key of the previous round.

The third XOR gate 118 a also generates a 32-bit (i.e., 95th bit to 64th bit) round key RK1 of the 128-bit round key for decryption of the new round by performing an XOR operation of the most significant 32-bit (i.e., 127th bit to 96th bit) round key PK0 of the 128-bit round key of the previous round with a 32-bit (i.e., 95th bit to 64th bit) round key PK1 next to the most significant 32 bits.

A third multiplexer 119 of the round XOR operation unit 117 is controlled according to the value of the mode signal inputted through the bus 200, and selectively determines input signals of the third XOR gate 118 a.

A fourth XOR gate 118 b of the round XOR operation unit 117 generates a 32-bit (i.e., 63rd bit to 32nd bit) round key RK2 of the 128-bit round key for encryption of the new round by performing an XOR operation of a 32-bit (i.e., 95th bit to 64th bit) round key RK1 of the 128-bit round key of the new round with a 32-bit (i.e., 63rd bit to 32nd bit) round key PK2 of the 128-bit round key of the previous round.

The fourth XOR gate 118 b also generates a 32-bit (i.e., 63rd bit to 32nd bit) round key RK2 of the 128-bit round key for decryption of the new round by performing an XOR operation of a 32-bit (i.e., 95th bit to 64th bit) round key PK1 of the 128-bit round key of the previous round with a next 32-bit (i.e., 63rd bit to 32nd bit) round key PK2.

A fourth multiplexer 119 a of the round XOR operation unit 117 is controlled according to the value of the mode signal inputted through the bus 200, and selectively determines input signals of the fourth XOR gate 118 b.

A fifth XOR gate 118 c of the round XOR operation unit 117 generates a 32-bit (i.e., 31st bit to 0th bit) round key RK3 of the 128-bit round key for encryption of the new round by performing an XOR operation of a 32-bit (i.e., 63rd bit to 32nd bit) round key RK2 of the 128-bit round key of the new round with a 32-bit (i.e., 31st bit to 0th bit) round key PK3 of the 128-bit round key of the previous round.

A fifth XOR gate 118 c also generates a 32-bit (i.e., 31st bit to 0th bit) round key RK3 of the 128-bit round key for decryption of the new round by performing an XOR operation of a 32-bit (i.e., 63rd bit to 32nd bit) round key PK2 of the 128-bit round key of the previous round with a next 32-bit (i.e., 31st bit to 0th bit) round key PK3.

A fifth multiplexer 119 b of the round XOR operation unit 117 is controlled according to the value of the mode signal inputted through the bus 200, and selectively determines input signals of the fifth XOR gate 118 c.

The rijndael block cipher apparatus as constructed above according to the present invention performs the encryption and decryption processes as follows:

First, referring to FIGS. 1 and 2, the encryption and decryption operation of the rijndael block cipher apparatus will be explained.

If a round operation starts, a round key generation process is performed as the initial 128-bit input key is inputted to the round key generation unit 100 through the bus 200, and 128-bit input data is inputted to the shift/inverse-shift_row transform unit 120.

At this time, the shift/inverse-shift_row transform unit 120 performs a shift/inverse-shift by different numbers of bytes as defined in the rijndael block cipher algorithm.

If the round operation control unit 300 sends a signal that selects upper 64 bits (sel=‘1’), the shift/inverse-shift_row transform unit 120 outputs the upper 64 bits through the first multiplexer 121, while if the round operation control unit 300 sends a signal that selects lower 64 bits (sel=‘0’), it outputs the lower 64 bits through the first multiplexer 121.

After the byte shift/inverse-shift_row operation as described above is performed, the upper or lower 64-bit data is inputted to the substitution/inverse-substitution transform unit 130, and the substitution or inverse substitution of the data is performed by a substitution box (S-box) or an inverse-substitution box (SI-box). At this time, the S-box and the SI-box serve as a substitution transform unit that outputs a one-byte output with respect to a one-byte input as defined in a specification of the rijndael algorithm. Also, since it is enough that the substitution/inverse-substitution transform unit 130 proposed according to the present invention processes only 64-bit data at a time, it requires only 8 S-boxes or 8 SI-boxes.

If a mode signal that selects the encryption process (mode=‘0’) is inputted through the bus 200 after the substitution/inverse-substitution operation is performed as described above, the upper or lower 64-bit data is inputted to the mix/inverse-mixcolumn transform unit 150 through the encryption output terminal ‘0’ of the first demultiplexer 140, while if a mode signal that selects the decryption process (mode=‘1’) is inputted through the bus 200, the upper or lower 64-bit data is inputted to the add-round-key transform unit 170 through the decryption output terminal ‘1’ of the first demultiplexer 140.

If the mode signal that selects the encryption process (mode=‘0’) is inputted through the bus 200, the 64-bit data that has passed through the mix/inverse-mixcolumn transform unit is inputted to the add-round-key transform unit 170 through the encryption output terminal ‘0’ of the second demultiplexer 160, while if the mode signal that selects the decryption process (mode=‘1’) is inputted through the bus 200, the 64-bit data is outputted through the decryption output terminal ‘1’ of the second demultiplexer 160 as a resultant data of the round operation.

Also, if the mode signal that selects the encryption process (mode=‘0’) is inputted through the bus 200, the 64-bit data that has passed through the add-round-key transform unit is outputted through the encryption output terminal ‘0’ of the third demultiplexer 180 as a resultant output of the round operation, while if the mode signal that selects the decryption process (mode=‘1’) is inputted through the bus 200, the 64-bit data is inputted to the mix/inverse-mixcolumn transform unit 150 through the decryption output terminal ‘1’ of the third demultiplexer 180.

As described above, since the present invention is intended to reduce the use of hardware resources by sharing constituent elements commonly used in the encryption process and the decryption process, the respective transform units have both functions of encryption and decryption.

Meanwhile, referring to FIG. 3, the generation of round keys for encryption or decryption required for the encryption and decryption operation of the rijndael block cipher apparatus according to the present invention and performed by the round key generation unit 100 will be explained.

If the 4-clock or 3-clock round operation start signal and the round number signal are inputted from the round operation control unit 300 to the round operation unit 100, the round operation starts.

If the round operation starts, the round key generation unit 110 starts to generate a round key RK of a new round using the 128-bit round key (i.e., prekey) of the previous round stored in the 128-bit prekey register 111.

If the mode signal that selects the encryption (mode=‘0’) is inputted through the bus 200, the least significant 32 bits (PK3) of the 128-bit round key of the previous round of the 128-bit prekey register 111 is inputted to the shifter 114 through the second multiplexer 113.

By contrast, if the mode signal that selects the decryption (mode=‘1’) is inputted through the bus 200, the fifth XOR gate 118 c performs an XOR operation of the lower 64 bits PK2 and PK3 of the round key of the previous round, and temporarily stores the XORed 32 bits as the least significant 32 bits RK3 of a new round key. Simultaneously, this value RK3 is inputted to the shifter 114 through the second multiplexer 113.

The 32-bit key inputted to the shifter 114 is shifted to the left by one byte, and then substituted by the substitution transform unit 115 composed of 4 S-boxes.

As described above, the most significant 8-bit key of the substitution-transformed 32-bit keys is XORed by the first XOR gate 116 with the constant value Rcon determined according to the order of the round indicated by the round number signal inputted from the round operation control unit 300. The resultant 8 bits outputted from the first XOR gate 116 are added to the remaining 24 bits outputted from the substitution transform unit 115, and the added bits are inputted to the second XOR gate 118 of the round XOR operation unit 117.

Especially, by limiting the part in which the constant values related to the round numbers are XORed during the round key generation process only to the upper 8 bits of the 32-bit data that has passed through the substitution transform unit 115, the effect of reduction of the hardware size can be obtained. For this, the rijndael algorithm specification describes the structure that makes 32-bit constant value that is related to the round number by padding ‘0’ of 24 bits to the 8-bit constant value, and then performs an XOR operation of the 32-bit constant value with the 32-bit value that has passed through the substitution transform unit 115.

Then, the second XOR gate 118 performs an XOR operation of the 32 bits, which are obtained by adding the resultant 8 bits outputted from the first XOR gate 116 to the remaining 24 bits outputted from the substitution transform unit 115, with the most significant 32 bits PK0 of the round key of the previous round, and stores the resultant value of the XOR operation as the most significant 32-bit round key RK0 of the new round.

After the most significant 32-bit round key RK0 required for encryption or decryption of the new round is generated as described above, the third XOR gate 118 a, in the case of encryption process, generates the next 32-bit round key RK1 of the new round by performing an XOR operation of the most significant 32-bit round key RK0 of the new round with the upper 32-bit (i.e., 95th bit to 64th bit) round key PK1 of the previous round. In the case of decryption process, the third XOR gate 118 a generates the next 32-bit round key RK1 of the new round by performing an XOR operation of the most significant 32-bit round key PK0 of the previous round with the next upper 32-bit round key PK1 of the previous round.

At this time, the third multiplexer 119 determines the input values of the third XOR gate 118 a according to the mode signal that is inputted through the bus 200 and that indicates the encryption process or the decryption process.

After the 32-bit round key RK1 next to the most significant 32-bit round key RK0 of the new round is generated as described above, the next 32-bit round key RK2 and the least significant 32-bit round key RK3 for encryption or decryption are generated by the fourth XOR gate 118 b and the fifth XOR gate 118 c which operate in the same manner as the third XOR gate 118 a. The fourth multiplexer 119 a determines the input values of the fourth XOR gate 118 b, and the fifth multiplexer 119 b determines the input values of the fifth XOR gate 118 c.

Especially, the time required to generate the 128-bit round key of the new round in the unit of 32 bits corresponds to the whole 4-clock period of the round operation start signal inputted from the round operation control unit 300 in the case of encryption process, and corresponds to the whole 2-clock period in the case of decryption process.

In practice, when the first clock of the encryption round operation start signal becomes ‘1’, the most significant 32-bit round key RK0 of the new round is generated through the second XOR gate 118, and whenever the second, third and fourth clocks become ‘1’, the 32-bit round keys RK1, RK2 and RK3 of the new round are generated through the third XOR gate 118 a, fourth XOR gate 118 b and fifth XOR gate 118 c, respectively. Also, when the first clock of the decryption round operation start signal becomes ‘1’, the most significant 32-bit round key RK0 of the new round is generated through the second XOR gate 118, and when the second clock becomes ‘1’, the 32-bit round keys RK1, RK2 and RK3 of the new round are simultaneously generated through the third XOR gate 118 a, fourth XOR gate 118 b and fifth XOR gate 118 c.

In the case that the 3-clock round operation start signal is inputted from the round operation control unit 300 to the round operation unit 100, the round key generation unit 110 generates the encryption round key during the 2-clock period.

At this time, the process of generating the most significant 32-bit (i.e., 127th bit to 96th bit) round key RK0 of the 128-bit round key of the new round is performed when the first clock of the round operation start signal becomes ‘1’.

If the second clock of the round operation start signal becomes ‘1’, the third XOR gate 118 a generates the 32-bit (i.e., 95th bit to 64th bit) round key RK1 of the 128-bit round key for encryption of the new round by performing an XOR operation of the most significant 32-bit (i.e., 127th bit to 96th bit) round key RK0 of the 128-bit round key of the new round with the 32-bit round key PK1 next to the most significant 32 bits of the 128-bit round key of the previous round.

Simultaneously, the fourth XOR gate 118 b generates a 32-bit (i.e., 63rd bit to 32nd bit) round key RK2 of the 128-bit round key for encryption of the new round by performing an XOR operation of a resultant value (RK0 ⊕ PK1), which is obtained by the third XOR gate's XOR operation of the most significant 32-bit (i.e., 127th bit to 96th bit) round key RK0 of the 128-bit round key of the new round with the 32-bit (i.e., 95th bit to 64th bit) round key PK1 next to the most significant 32-bit round key of the 128-bit round key of the previous round, with the 32-bit (i.e., 63rd bit to 32nd bit) round key PK2 of the previous round.

Simultaneously, the fifth XOR gate 118 c generates a 32-bit (i.e., 31st bit to 0th bit) round key RK3 of the 128-bit round key for encryption of the new round by performing an XOR operation of a resultant value (RK0 ⊕ PK1), which is obtained by the fourth XOR gate's XOR operation of the most significant 32-bit (i.e., 127th bit to 96th bit) round key RK0 of the 128-bit round key of the new round that has been XORed by the third XOR gate 118 a with the 32-bit (i.e., 95th bit to 64th bit) round key PK1 next to the most significant 32-bit round key of the 128-bit round key of the previous round, with the 32-bit (i.e., 63rd bit to 32nd bit) round key PK2 of the previous round to produce a resultant value (RK0 ⊕ PK1 ⊕ PK2) of XOR operation, and then performing an XOR operation of the resultant value (RK0 ⊕ PK1 ⊕ PK2) with the 32-bit (31st bit to 0th bit) round key PK3 of the previous round.

In the case that the 2-clock round operation start signal is inputted from the round operation control unit 300 to the round operation unit 100, the round key generation unit 110 generates the encryption round key during the one-clock period.

At this time, the process of generating the most significant 32-bit (i.e., 127th bit to 96th bit) round key RK0 of the 128-bit round key of the new round through the second XOR gate 118 is performed when the round operation start signal is inputted and the clock is simultaneously in a ‘0’ state.

If the first clock of the round operation start signal becomes ‘1’, the third XOR gate 118 a generates the 32-bit (i.e., 95th bit to 64th bit) round key RK1 of the 128-bit round key for encryption of the new round by performing an XOR operation of the most significant 32-bit (i.e., 127th bit to 96th bit) round key RK0 of the 128-bit round key of the new round with the 32-bit round key PK1 next to the most significant 32 bits of the 128-bit round key of the previous round.

Simultaneously, the fourth XOR gate 118 b generates a 32-bit (i.e., 63rd bit to 32nd bit) round key RK2 of the 128-bit round key for encryption of the new round by performing an XOR operation of a resultant value (RK0 ⊕ PK1), which is obtained by the third XOR gate's XOR operation of the most significant 32-bit (i.e., 127th bit to 96th bit) round key RK0 of the 128-bit round key of the new round with the 32-bit (i.e., 95th bit to 64th bit) round key PK1 next to the most significant 32-bit round key of the 128-bit round key of the previous round, with the 32-bit (i.e., 63rd bit to 32nd bit) round key PK2 of the previous round.

Simultaneously, the fifth XOR gate 118 c generates a 32-bit (i.e., 31st bit to 0th bit) round key RK3 of the 128-bit round key for encryption of the new round by performing an XOR operation of a resultant value (RK0 ⊕ PK1), which is obtained by the fourth XOR gate's XOR operation of the most significant 32-bit (i.e., 127th bit to 96th bit) round key RK0 of the 128-bit round key of the new round that has been XORed by the third XOR gate 118 a with the 32-bit (i.e., 95th bit to 64th bit) round key PK1 next to the most significant 32-bit round key of the 128-bit round key of the previous round, with the 32-bit (i.e., 63rd bit to 32nd bit) round key PK2 of the previous round to produce a resultant value (RK0 ⊕ PK1 ⊕ PK2) of XOR operation, and then performing an XOR operation of the resultant value (RK0 ⊕ PK1 ⊕ PK2) with the 32-bit (31st bit to 0th bit) round key PK3 of the previous round.

In the case that the 2-clock round operation start signal is inputted from the round operation control unit 300 to the round operation unit 100, the round key generation unit 110 generates the decryption round key during the one-clock period.

At this time, the process of generating the most significant 32-bit (i.e., 127th bit to 96th bit) round key RK0 of the 128-bit round key of the new round through the second XOR gate 118 is performed when the round operation start signal is inputted and the clock is simultaneously in a ‘0’ state.

If the first clock of the round operation start signal becomes ‘1’, the third XOR gate 118 a generates the next 32-bit round key RK1 of the new round by performing an XOR operation of the most significant 32 bits PK0 of the previous round with the next upper 32 bits PK1 of the previous round, and in succession the fourth XOR gate 118 b and the fifth XOR gate 118 c, which operate in the same manner as the third XOR gate 118 a, generate the next 32-bit round key RK2 for decryption and the least significant 32-bit round key RK3. These processes are simultaneously performed during the first clock period.

Now, the operation of the rijndael block cipher apparatus that performs the encryption and decryption process as described above will be explained in more detail in accordance with the number of clocks of the round operation start signal inputted from the round operation control unit 300 to the round operation unit 100.

FIG. 4 is a first timing diagram illustrating a method of encrypting a rijndael block cipher according to the present invention.

Referring to FIG. 4, if the four-clock round operation start signal and the round number signal are inputted from the round operation control unit 300 to the round operation unit 100 (step S400), the byte-shift transform and the substitution operation are successively performed with respect to the upper 64-bit data of the 128-bit round operation input data at the moment when the first clock becomes ‘1’ (step S401), and these two processes are performed within one clock. The results of these processes are stored in the 64-bit data register 400. Also, at the moment when the first clock of the round operation start signal becomes ‘1’, the 128-bit round key generation process using the 128-bit round input key starts (step S401 a).

At the moment when the second clock of the round operation start signal becomes ‘1’, the mixcolumn transform using the 64-bit data stored in the 64-bit data register 400 is performed with its resultant values stored in the 64-bit data register 400 (step S402), and simultaneously, the byte-shift transform and the substitution operation of the lower 64-bit data of the round operation input data are successively performed (step S402). These two processes are performed in one clock. Also, the resultant data of the byte-shift transform and the substitution operation of the lower 64-bit data are stored in a lower 64-bit position of the 128-bit data register 500 that stores the round operation results.

At the moment when the third clock of the round operation start signal becomes ‘1’, the 64 bits stored in the 64-bit data register 400 are inputted to the add-round-key transform unit 170 so as to be added to the upper 64 bits of the round key generated by the round key generation unit 110, and the resultant value is stored in the upper 64-bit position of the 128-bit data register 500 (step S403). Also, the mixcolumn transform of the lower 64-bit data of the 128-bit data register 500 is performed, and the resultant value is stored in the lower 64-bit position of the 128-bit data register 500 (step S403).

At the moment when the fourth clock of the round operation start signal becomes ‘1’, the lower 64 bits of the 128-bit data register 500 are inputted to the add-round-key transform unit 170 so as to be added to the lower 64 bits of the round key generated by the round key generation unit 110, and the resultant value is stored in the lower 64-bit position of the 128-bit data register 500 (step S404).

Accordingly, in the rijndael block cipher apparatus that performs the above-described encryption process, the 128-bit data of the 128-bit data register 500 is used as the 128-bit round operation input data of the next round, and the round key RK newly generated by the round key generation unit 110 and then stored in the 128-bit round key register 111 a is also stored in the 128-bit prekey register 111 to be used as the 128-bit round input key of the next round. Consequently, the encryption operation of one round is completed within a period of four clocks.

In the case that the encryption method as illustrated in FIG. 4 is performed by the rijndael block cipher apparatus according to the present invention, the round key generation unit 110 completes the round key generation process within a period of four clocks of the round operation start signal. That is, as shown in FIG. 4, the add-round-key transform process (step S403), which is the process of adding the upper 64-bit data to the round key, is performed after the third clock from the start of the round operation. After the second clock from the start of the round operation, only the upper 64-bit round key of the new round is generated, and at this time point, there is no problem in performing the encryption operation of the round operation since only the upper 64-bit round key is used. Also, since the time point when the fourth clock starts after third clock for the round operation coincides with the time point when all the 128-bit round keys are generated, there is no problem in performing the add-round-key transform process (step S404) for adding the lower 64-bit data to the lower 64-bit round key.

Also, in the rijndael block cipher apparatus that performs the above-described encryption process, the 64-bit data register 400 is used as the storage space of the intermediate data generated during the encryption process, and thus the result of the byte-shift transform of the upper 64-bit data does not affect the byte-shift transform of the lower 64-bit data. Also, since the upper 64-bit data and the lower 64-bit data are simultaneously transformed, but are not transformed in the same manner during the same clock period, the number of hardware modules required for the transform can be reduced by half. Especially, the data generated for each clock is updated and stored in one storage space, and thus no additional storage space is required. That is, this case is directed to the structure that applies a pipeline structure but requires no additional hardware, and this structure will be applied in the same manner to methods of encrypting and decrypting the rijndael block cipher according to other embodiment of the present invention to be explained later.
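The following Python model is an added example, not code from the patent. It reproduces the round key generation described for FIG. 3 (chained RK0 to RK3 for encryption; prekey-only XORs with RK3 feeding the shifter for decryption) and the FIG. 4 schedule in which the upper and lower 64-bit halves share one set of 8 S-boxes. The function names, the big-endian word packing, indexing Rcon by the round key being produced or undone, and the initial key addition and MixColumns-free last round taken from FIPS-197 are assumptions of the example.

```python
# Added model, not the patent's code. Function names are hypothetical; the
# unit numbers in the docstrings tie each function to the block it models.
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def gmul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a & 0x100:
            a ^= 0x11B
    return r

def build_sbox():
    """S-box: multiplicative inverse in GF(2^8), then the Rijndael affine map."""
    box = []
    for v in range(256):
        inv = next((c for c in range(1, 256) if gmul(v, c) == 1), 0)
        s = inv
        for k in range(1, 5):
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        box.append(s ^ 0x63)
    return box

SBOX = build_sbox()

def g(word, rnd):
    """Shifter 114, S-boxes 115, XOR gate 116: Rcon touches the top byte only."""
    rot = ((word << 8) | (word >> 24)) & 0xFFFFFFFF
    sub = int.from_bytes(bytes(SBOX[b] for b in rot.to_bytes(4, "big")), "big")
    return sub ^ (RCON[rnd - 1] << 24)

def round_key(pk, rnd, mode):
    """(RK0..RK3) from prekey (PK0..PK3); mode 0 = encryption, 1 = decryption."""
    pk0, pk1, pk2, pk3 = pk
    if mode == 0:                      # chained: each word needs the new word above it
        rk0 = pk0 ^ g(pk3, rnd)
        rk1 = rk0 ^ pk1
        rk2 = rk1 ^ pk2
        rk3 = rk2 ^ pk3
    else:                              # RK1..RK3 use prekey words only, so in parallel
        rk3 = pk2 ^ pk3
        rk2 = pk1 ^ pk2
        rk1 = pk0 ^ pk1
        rk0 = pk0 ^ g(rk3, rnd)        # RK3, not PK3, feeds the shifter
    return (rk0, rk1, rk2, rk3)

def shift_sub(data, sel):
    """Units 120/121/130: ShiftRows reads all 128 bits, one half goes to 8 S-boxes."""
    cols = (0, 1) if sel == 1 else (2, 3)      # sel=1 upper half, sel=0 lower half
    return [SBOX[data[4 * ((c + r) % 4) + r]] for c in cols for r in range(4)]

def mix(half):
    """Unit 150: MixColumns on the two 32-bit columns of a 64-bit half."""
    out = []
    for c in (0, 4):
        col = half[c:c + 4]
        out += [gmul(col[r], 2) ^ gmul(col[(r + 1) % 4], 3)
                ^ col[(r + 2) % 4] ^ col[(r + 3) % 4] for r in range(4)]
    return out

def add_key(half, w_hi, w_lo):
    """Unit 170: XOR a 64-bit half with two 32-bit round-key words."""
    key = w_hi.to_bytes(4, "big") + w_lo.to_bytes(4, "big")
    return [d ^ k for d, k in zip(half, key)]

def encrypt_round(reg500, rk, last=False, buffered=True):
    """One round on the FIG. 4 schedule; buffered=False drops register 400."""
    reg500 = list(reg500)
    reg400 = shift_sub(reg500, sel=1)               # clock 1: upper half
    if not buffered:
        reg500[:8] = reg400                         # hypothetical in-place write
    lower = shift_sub(reg500, sel=0)                # clock 2: lower half
    if not last:
        reg400 = mix(reg400)                        # clock 2: upper MixColumns
        lower = mix(lower)                          # clock 3: lower MixColumns
    reg500[:8] = add_key(reg400, rk[0], rk[1])      # clock 3: upper AddRoundKey
    reg500[8:] = add_key(lower, rk[2], rk[3])       # clock 4: lower AddRoundKey
    return reg500

def encrypt_block(plaintext, key):
    """AES-128 with on-the-fly keys; whitening and last round follow FIPS-197."""
    pk = tuple(int.from_bytes(key[i:i + 4], "big") for i in range(0, 16, 4))
    state = add_key(plaintext[:8], pk[0], pk[1]) + add_key(plaintext[8:], pk[2], pk[3])
    for rnd in range(1, 11):
        rk = round_key(pk, rnd, mode=0)
        state = encrypt_round(state, rk, last=(rnd == 10))
        pk = rk                                     # RK copied to prekey register 111
    return bytes(state), pk

def unwind_key(last_rk):
    """Decryption schedule: step from the last round key back to the input key."""
    pk = last_rk
    for rnd in range(10, 0, -1):
        pk = round_key(pk, rnd, mode=1)
    return pk
```

With `buffered=False` the upper half overwrites the round input before the lower half's byte shift has read it, and the round output changes; this is the interference that the 64-bit data register 400 removes.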

FIG. 5 is a first timing diagram illustrating a method of decrypting a rijndael block cipher according to the present invention.

Referring to FIG. 5, if the four-clock round operation start signal and the round number signal are inputted from the round operation control unit 300 to the round operation unit 100 (step S500), the byte-inverse-shift transform and the inverse-substitution operation are successively performed with respect to the upper 64-bit data of the 128-bit round operation input data at the moment when the first clock becomes ‘1’ (step S501), and these two processes are performed within one clock. At this time, the resultant data is stored in the 64-bit data register 400. Also, if the first clock of the round operation start signal becomes ‘1’, the 128-bit round key generation process using the 128-bit round input key starts (step S501 a).

At the moment when the second clock of the round operation start signal becomes ‘1’, the add-round-key transform for adding the 64-bit data stored in the 64-bit data register 400 to the upper 64 bits of the round key generated through the round key generation unit 110 is performed, and the resultant data is stored in the 64-bit data register 400 (step S502). Simultaneously, the byte-inverse-shift transform and the inverse-substitution of the lower 64-bit data of the round operation input data are successively performed, and the resultant data is stored in the lower 64-bit position of the 128-bit data register (step S502).

At the moment when the third clock of the round operation start signal becomes ‘1’, the 64-bit data stored in the 64-bit data register 400 is inputted to the mix/inverse-mixcolumn transform unit 150, and the resultant data of the inverse-mixcolumn transform is stored in the upper 64-bit position of the 128-bit data register 500 (step S503). Simultaneously, the add-round-key transform for adding the lower 64-bit data that has passed through the inverse-substitution operation to the round key generated from the round key generation unit 110 is performed, and the resultant data is stored in the lower 64-bit position of the 128-bit data register (step S503).

At the moment when the fourth clock of the round operation start signalbecomes ‘1’, the lower 64-bit data that has passed through theadd-round-key transform is inputted to the mix/inverse-mixcolumntransform unit 150 to be inverse-mixcolumn-transformed, and theresultant data is stored in the lower 64-bit position of the 128-bitdata register 500 (step S504).

At this time, the 128-bit data of the 128-bit data register 500 is usedas the 128-bit round operation input data of the next decryption roundoperation, and the 128-bit round key RK that is the result of the roundkey generation is stored in the 128-bit prekey register 111 so as to beused as the 128-bit round input key of the next round operation.Consequently, the decryption operation of one round is completed withina period of four clocks.

In the case that the decryption method as illustrated in FIG. 5 is performed by the rijndael block cipher apparatus according to the present invention, the round key generation unit 110 completes the round key generation process within a period of two clocks of the round operation start signal. That is, as shown in FIG. 5, since the add-round-key transform process (step S502), which is the process of adding the upper 64-bit round key to the 64-bit data, is performed after the second clock from the start of the round operation, all the 128-bit round keys have already been generated at the time point of the second clock, and thus there is no problem in performing the round operation.

FIG. 6 is a second timing diagram illustrating a method of encrypting a rijndael block cipher according to the present invention.

Referring to FIG. 6, if the three-clock round operation start signal and the round number signal are inputted from the round operation control unit 300 to the round operation unit 100 (step S600), the byte-shift operation and the substitution operation of the upper 64-bit data are successively performed at the moment when the first clock becomes ‘1’, and the resultant data is stored in the 64-bit data register (step S601). Also, the round key generation process is simultaneously performed (step S601a).

At the moment when the second clock of the round operation start signal becomes ‘1’, the 64-bit data stored in the 64-bit data register 400 is mixcolumn-transformed, and then added to the upper 64-bit round key of the resultant data of the add-round-key transform unit 110. The resultant data of the add-round-key transform is stored in the 64-bit data register 400 (step S602). Simultaneously, the byte-shift transform and the substitution operation of the lower 64-bit data are successively performed, and the resultant data is stored in the lower 64-bit position of the 128-bit data register 500 (step S602).

At the moment when the third clock of the round operation start signal becomes ‘1’, the 64-bit data stored in the 64-bit data register 400 is inputted to the upper 64-bit position of the 128-bit data register 500, and the lower 64-bit data of the 128-bit data register 500 is mixcolumn-transformed and then added to the lower 64-bit round key of the round key generated by the round key generation unit 110. The resultant data is stored in the lower 64-bit position of the 128-bit data register 500 (step S603).

At this time, the 128-bit data of the 128-bit data register 500 is used as the 128-bit round operation input data of the next round operation, and the round key RK generated by the round key generation unit 110 is stored in the 128-bit prekey register 111 and then used as the 128-bit round input key of the next round. Consequently, the encryption operation of one round is completed within a period of three clocks.

In the case that the encryption method as illustrated in FIG. 6 is performed by the rijndael block cipher apparatus according to the present invention, the round key generation unit 110 completes the round key generation process within a period of two clocks of the round operation start signal. That is, as shown in FIG. 6, since the add-round-key transform process (step S602), which is the process of adding the upper 64-bit round key to the upper 64-bit data, is performed after the second clock from the start of the round operation, all the 128-bit round keys have already been generated at the time point of the second clock, and thus there is no problem in performing the round operation.

FIG. 7 is a second timing diagram illustrating a method of decrypting a rijndael block cipher according to the present invention.

Referring to FIG. 7, if the three-clock round operation start signal and the round number signal are inputted from the round operation control unit 300 to the round operation unit 100 (step S700), the byte-inverse-shift transform and the inverse-substitution operation are successively performed with respect to the upper 64-bit data of the 128-bit round operation input data at the moment when the first clock becomes ‘1’, and the resultant data is stored in the 64-bit data register 400 (step S701). Also, the round key generation process starts simultaneously with these transforms (step S701a).

When the second clock of the round operation start signal becomes ‘1’, the add-round-key transform for adding the 64-bit data stored in the 64-bit data register 400 to the upper 64-bit round key of the round key generated by the round key generation unit 110 is performed, and the resultant data is inputted to the mix/inverse-mixcolumn transform unit 150. The inverse-mixcolumn-transformed data is stored in the 64-bit data register 400 (step S702). Simultaneously, the byte-inverse-shift transform and the inverse-substitution transform of the lower 64-bit data of the round operation input data are successively performed, and the resultant data is stored in the lower 64-bit position of the 128-bit data register (step S702).

At the moment when the third clock of the round operation start signal becomes ‘1’, the 64-bit data stored in the 64-bit data register 400 is stored in the upper 64-bit position of the 128-bit data register 500, and the add-round-key transform for adding the lower 64-bit data of the 128-bit data register 500 to the lower 64-bit round key of the round key generation unit 110 is performed. The resultant data of the add-round-key transform is then inverse-mixcolumn-transformed, and the resultant data of the inverse-mixcolumn transform is stored in the lower 64-bit position of the 128-bit data register 500 (step S703).

At this time, the 128-bit data of the 128-bit data register 500 is used as the 128-bit round operation input data of the next round operation, and the 128-bit round key RK generated by the round key generation unit 110 is stored in the 128-bit prekey register 111 so as to be used as the 128-bit round input key of the next round operation. Consequently, the decryption operation of one round is completed within a period of three clocks.

In the case that the decryption method as illustrated in FIG. 7 is performed by the rijndael block cipher apparatus according to the present invention, the round key generation unit 110 completes the round key generation process within a period of two clocks of the round operation start signal. That is, as shown in FIG. 7, since the add-round-key transform process (step S702) for adding the upper 64-bit round key to the upper 64-bit data is performed after the second clock from the start of the round operation, all the 128-bit round keys have already been generated at the time point of the second clock, and thus there is no problem in performing the round operation.

FIG. 8 is a third timing diagram illustrating a method of encrypting a rijndael block cipher according to the present invention.

Referring to FIG. 8, if the two-clock round operation start signal and the round number signal are inputted from the round operation control unit 300 to the round operation unit 100 (step S800), the byte-shift transform, the substitution transform, the mixcolumn transform and the add-round-key transform are successively performed with respect to the upper 64-bit data of the round input data when the first clock becomes ‘1’, and the resultant data is stored in the 64-bit data register 400 (step S801). Simultaneously, the round key generation process (step S801a) is performed, and the add-round-key transform of the upper 64-bit round key of the generated round key is performed. These processes are performed in a period of one clock.

When the second clock of the round operation start signal becomes ‘1’, the byte-shift transform, the substitution transform, the mixcolumn transform and the add-round-key transform are successively performed with respect to the lower 64-bit data of the round input data, and the resultant data is stored in the lower 64-bit position of the 128-bit data register 500 (step S802). Also, the add-round-key transform of the lower 64-bit round key of the round key generated in the round key generation process is performed. At this time, the 64-bit data stored in the 64-bit data register 400 is stored in the upper 64-bit position of the 128-bit data register 500, and the 128-bit round key RK newly generated by the round key generation unit 110 is stored in the 128-bit round key register 111a and backed up in the 128-bit prekey register 111. Consequently, the encryption operation of one round is completed within a period of two clocks.

In the case that the encryption method as illustrated in FIG. 8 is performed by the rijndael block cipher apparatus according to the present invention, the round key generation unit 110 completes the round key generation process within a period of one clock of the round operation start signal. That is, as shown in FIG. 8, since the add-round-key transform process (step S801) for adding the upper 64-bit round key to the upper 64-bit data is performed after the first clock from the start of the round operation, all the 128-bit round keys have already been generated at the time point of the first clock, and thus there is no problem in performing the round operation.

Actually, the round key generation unit 110 as illustrated in FIG. 3 generates RK1 using RK0, and RK2 using RK1. The round key generation unit 110 does not generate RK3 using RK2, but generates RK0 in a state that the round operation start signal is inputted and the clock becomes ‘0’ simultaneously. When the first clock becomes ‘1’, the round key generation unit 110 generates RK1 by XORing RK0 with PK1, RK2 by XORing RK0 with PK1 and PK2, and RK3 by XORing RK0 with PK1, PK2 and PK3, simultaneously.
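The FIG. 8 two-clock round and the parallel round-key XORs described above, as an added software model (not the patent's own implementation). It assumes that the upper 64 bits are state columns 0 and 1, that PK0..PK3 and RK0..RK3 are the 32-bit words of the previous and new round keys, and that RK0, the initial key addition and the final round without mixcolumn follow FIPS-197.

```python
# Added example: software model of the two-clock encryption round (FIG. 8).
# Assumptions, not taken from the patent text: upper 64 bits = state columns
# 0-1; PKi/RKi = 32-bit words of the previous/new round key; RK0 = PK0 ^ g(PK3).

def xtime(a):
    """Multiply by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def gmul(a, b):
    """Multiply two GF(2^8) elements."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def build_sbox():
    """Substitution table: field inverse followed by the affine transform."""
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        box.append(s ^ 0x63)
    return box

SBOX = build_sbox()

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def shift_rows(s):
    """Byte-shift over the full 128-bit state (column-major, byte i = row i%4)."""
    return [s[i % 4 + 4 * ((i // 4 + i % 4) % 4)] for i in range(16)]

def mix_column(c):
    return [gmul(c[i], 2) ^ gmul(c[(i + 1) % 4], 3) ^ c[(i + 2) % 4] ^ c[(i + 3) % 4]
            for i in range(4)]

def half_round(shifted, rk, half, mix=True):
    """Substitution, mixcolumn and add-round-key on one 64-bit half."""
    h = [SBOX[b] for b in shifted[8 * half:8 * half + 8]]
    if mix:
        h = mix_column(h[:4]) + mix_column(h[4:])
    return xor(h, rk[8 * half:8 * half + 8])

def next_round_key(pk, rcon):
    """RK1..RK3 formed at once as XORs of RK0 with PK1, PK1^PK2, PK1^PK2^PK3."""
    pk0, pk1, pk2, pk3 = (list(pk[4 * i:4 * i + 4]) for i in range(4))
    g = [SBOX[b] for b in pk3[1:] + pk3[:1]]  # rotate the word, then substitute
    g[0] ^= rcon
    rk0 = xor(pk0, g)
    rk1 = xor(rk0, pk1)
    rk2 = xor(rk0, xor(pk1, pk2))
    rk3 = xor(rk0, xor(pk1, xor(pk2, pk3)))
    return rk0 + rk1 + rk2 + rk3

def encrypt_block(key, plaintext):
    """Return (ciphertext, clock count) for a 128-bit key and block."""
    state = xor(plaintext, key)  # initial key addition
    rk, rcon, clocks = list(key), 1, 0
    for rnd in range(1, 11):
        rk = next_round_key(rk, rcon)
        rcon = xtime(rcon)
        shifted = shift_rows(state)  # both halves read the same round input
        last = rnd == 10             # final round has no mixcolumn
        reg64 = half_round(shifted, rk, 0, mix=not last)  # clock 1 -> register 400
        lower = half_round(shifted, rk, 1, mix=not last)  # clock 2
        state = reg64 + lower                             # register 500
        clocks += 2
    return bytes(state), clocks

# FIPS-197 Appendix C.1 test vector
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
PT = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    ct, clocks = encrypt_block(KEY, PT)
    print(ct.hex(), clocks)
```

The model also shows why the upper-half result waits in the 64-bit register: the byte-shift for the lower half still reads all 128 bits of the round input, so the 128-bit register cannot be overwritten until the second clock.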

FIG. 9 is a third timing diagram illustrating a method of decrypting a rijndael block cipher according to the present invention.

Referring to FIG. 9, if the two-clock round operation start signal and the round number signal are inputted from the round operation control unit 300 to the round operation unit 100 (step S900), the byte-inverse-shift transform, the inverse-substitution transform, the add-round-key transform and the inverse-mixcolumn transform are successively performed with respect to the upper 64-bit data of the round input data when the first clock becomes ‘1’, and the resultant data is stored in the 64-bit data register 400 (step S901). These processes are performed in a period of one clock. Simultaneously, the round key generation process (step S901a) for decryption is performed, and the add-round-key transform of the upper 64-bit round key of the round key generated by the round key generation unit 110 is performed.

When the second clock of the round operation start signal becomes ‘1’, the byte-inverse-shift transform, the inverse-substitution transform, the add-round-key transform and the inverse-mixcolumn transform are successively performed with respect to the lower 64-bit data of the round input data, and the resultant data is stored in the lower 64-bit position of the 128-bit data register 500 (step S902). These processes are performed in a period of one clock. Also, the lower 64-bit round key of the round key generated prior to one clock by the round key generation unit 110 is used for the add-round-key transform. At this time, the 64-bit data stored in the 64-bit data register 400 is stored in the upper 64-bit position of the 128-bit data register 500, and the 128-bit round key RK newly generated by the round key generation unit 110 is stored in the 128-bit round key register 111a and backed up in the 128-bit prekey register 111. Consequently, the decryption operation of one round is completed within a period of two clocks.

In the case that the decryption method as illustrated in FIG. 9 is performed by the rijndael block cipher apparatus according to the present invention, the round key generation unit 110 completes the round key generation process within a period of one clock of the round operation start signal. That is, as shown in FIG. 9, the add-round-key transform process (step S901) for adding the upper 64-bit round key to the upper 64-bit data is performed after the first clock from the start of the round operation, but all the 128-bit round keys have already been generated at the time point of the first clock, and thus there is no problem in performing the round operation.

Actually, the round key generation unit 110 as illustrated in FIG. 3 generates RK0 in a state that the round operation start signal is inputted and the clock becomes ‘0’ simultaneously. When the first clock becomes ‘1’, the round key generation unit 110 generates RK1 by XORing RK0 with PK1, RK2 by XORing PK1 with PK2, and RK3 by XORing PK2 with PK3, simultaneously.

As described above, the rijndael block cipher apparatus according to the encryption method as illustrated in FIG. 8 and the decryption method as illustrated in FIG. 9 is a model suitable to be applied to a smart card, a USIM (User Subscriber Identity Module) card, a SIM card, etc., that have a small size, a low power consumption, and a low operational frequency characteristic.

INDUSTRIAL APPLICABILITY

As apparent from the above description, the rijndael block cipher apparatus and the encryption/decryption method thereof according to the present invention can encrypt and decrypt important data that requires security at high speed by being mounted in a mobile terminal such as a cellular phone and a PDA or a smart card, which requires a high-rate and small-sized cipher processor, and can perform a round operation with respect to upper 64 bits and lower 64 bits which are divided from 128-bit input data. The present invention has the following effects:

First, the cipher apparatus according to the present invention has a small size and can encrypt/decrypt real-time data at high speed by repeatedly using the round operation device in the apparatus.

Second, since the cipher apparatus according to the present invention encrypts/decrypts block cipher data in real time using the round operation device applying a rijndael algorithm, it can provide a higher-graded security in comparison to an operation device applying the existing DES (Data Encryption Standard).

Third, the rijndael encryption/decryption round operation device of the cipher apparatus according to the present invention has the advantage that it can encrypt/decrypt block cipher data in real time by adding a simple controller that repeats the round operation for a predetermined number of times.

Fourth, the round operation device of the cipher apparatus according to the present invention can rapidly encrypt/decrypt data in real time although it has a small size that is almost half the size of the existing round operation device in the unit of 128 bits.

Fifth, the round operation device of the cipher apparatus according to the present invention can be implemented using a proper method according to its application fields, and in the case of applying to a system that is irrespective of the amount of hardware resource used, it can obtain a two-times high speed of data encryption/decryption by applying a round process in the unit of 128 bits instead of a round process in the unit of 64 bits.

The foregoing embodiments are merely exemplary and are not to be construed as limiting the present invention. The present teachings can be readily applied to other types of apparatuses. The description of the present invention is intended to be illustrative, and not to limit the scope of the claims. Many alternatives, modifications, and variations will be apparent to those skilled in the art.

1. A rijndael block encryption apparatus having M-bit input data and N-bit input keys and encrypting the M-bit input data by repeating for a predetermined number of times a round operation that includes transforms of shift_row, substitution, mixcolumn and add-round-key, the apparatus comprising: a round operation unit including a round operation execution unit for processing the data in the unit of M/m bits (where m is 2, 3 or 4) at least in the transforms of substitution, mixcolumn and add-round-key, and a round key generation unit for generating round keys in order to provide the round keys in the transform of the add-round-key; a round operation control unit for controlling the round operation performed by the round operation unit; and a data storage unit for storing M/n-bit intermediate data generated by the round operation unit at an intermediate stage of every round and M-bit data generated at an end stage of every round.
2. The apparatus as claimed in claim 1, wherein the data storage unit includes at least one register, and a total summed size of the register is equal to or larger than M(2m−1)/m bits.
3. A rijndael block decryption apparatus having M-bit input data and N-bit input keys and decrypting the M-bit input data by repeating for a predetermined number of times a round operation that includes transforms of inverse shift_row, inverse substitution, add-round-key and inverse mixcolumn, the apparatus comprising: a round operation unit including a round operation execution unit for processing the data in the unit of M/m bits (where m is 2, 3 or 4) at least in the transforms of inverse substitution, add-round-key and inverse mixcolumn, and a round key generation unit for generating round keys in order to provide the round keys in the transform of add-round-key; a round operation control unit for controlling the round operation performed by the round operation unit; and a data storage unit for storing M/n-bit intermediate data generated by the round operation unit at an intermediate stage of every round and M-bit data generated at an end stage of every round.
4. The apparatus as claimed in claim 3, wherein the data storage unit includes at least one register, and a total summed size of the register is equal to or larger than M(2m−1)/m bits.
5. A rijndael block cipher apparatus having M-bit input data and N-bit input keys, and encrypting the M-bit input data by repeating for a predetermined number of times a round operation for encryption that includes transforms of shift_row, substitution, mixcolumn and add-round-key or decrypting the M-bit input data by repeating for a predetermined number of times a round operation for decryption that includes transforms of inverse shift_row, inverse substitution, add-round-key and inverse mixcolumn, the apparatus comprising: a round operation unit including a round operation execution unit for processing the data in the unit of M/m bits (where m is 2, 3 or 4) at least in the transforms of substitution, mixcolumn and add-round-key in an encryption mode and for processing the data in the unit of M/m bits (where m is 2, 3 or 4) at least in the transforms of inverse substitution, add-round-key and inverse mixcolumn in a decryption mode, and a round key generation unit for generating round keys in order to provide the round keys in the transform of add-round-key; a round operation control unit for controlling the round operation performed by the round operation unit; and a data storage unit for storing M/n-bit intermediate data generated by the round operation unit at an intermediate stage of every round and M-bit data generated at an end stage of every round.
6. The apparatus as claimed in claim 5, wherein the round operation execution unit comprises: a shift/inverse-shift_row operation means for performing the shift_row operation and the inverse shift_row operation of the data; a substitution/inverse-substitution operation means for performing the substitution operation and the inverse substitution operation of the data; a mixcolumn/inverse-mixcolumn operation means for performing the mixcolumn operation and the inverse mixcolumn operation of the data; and an add-round-key operation means for performing the add-round-key operation of the data.
7. The apparatus as claimed in claim 6, wherein the round operation execution unit further comprises a plurality of demultiplexing means for controlling a flow of the data among the substitution/inverse-substitution operation means, the mixcolumn/inverse-mixcolumn operation means and the add-round-key operation means so as to perform the round operation for the encryption or the round operation for the decryption according to an input of a mode signal that indicates the encryption or decryption mode.
8. The apparatus as claimed in any one of claims 5 to 7, wherein the data storage unit includes at least one register, and a total summed size of the register is equal to or larger than M(2m−1)/m bits.
9. A rijndael block encryption method for receiving M-bit input data and N-bit input keys and performing a round operation of the input data for a predetermined number of times, the method comprising: a round operation step of performing a round operation with respect to all m data of M/n bits, the round operation including sub-steps of a shift_row transform for performing a shift_row of the M-bit data from a previous round and outputting only M/m-bit (where m is 2, 3 and 4) data corresponding to a selection signal to a next step, a substitution transform for performing a substitution of the M/m-bit data, a mixcolumn transform for performing a mixcolumn of the M/m-bit data, and an add-round-key transform for performing an addition of round keys having the same size to the M/m-bit data, respectively; and a round key generation step of generating the round keys in order to provide the round keys at the sub-step of the add-round-key transform.
10. The method as claimed in claim 9, wherein the data having the size of M/m bits can be processed through the steps of the shift_row transform, the substitution transform, the mixcolumn transform and the add-round-key transform, respectively, and a plurality of the M/m-bit data can be processed through the plural steps selected among the four steps at the same time according to a predetermined timing.
11. A rijndael block decryption method for receiving M-bit input data and N-bit input keys and performing a round operation of the input data for a predetermined number of times, the method comprising: a round operation step of performing a round operation with respect to all m data of M/n bits, the round operation including sub-steps of an inverse shift_row transform for performing an inverse shift_row of the M-bit data from a previous round and outputting only M/m-bit (where m is 2, 3 and 4) data corresponding to a selection signal to a next step, an inverse substitution transform for performing an inverse substitution of the M/m-bit inverse-shift_row-transformed data, an add-round-key transform for performing an addition of round keys having the same size to the M/m-bit inverse-substitution-transformed data, respectively, and an inverse mixcolumn transform for performing an inverse mixcolumn of the M/m-bit add-round-key-transformed data; and a round key generation step of generating the round keys in order to provide the round keys at the sub-step of the add-round-key transform.
12. The method as claimed in claim 11, wherein the data having the size of M/m bits can be processed through the steps of the inverse shift_row transform, the inverse substitution transform, the add-round-key transform and the inverse mixcolumn transform, respectively, and a plurality of the M/m-bit data can be processed through the plural steps selected among the four steps at the same time according to a predetermined timing.